Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and diffie-hellman-group1-sha1 (1024-bit DH)

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 20 July 2017 02:51 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Damien Miller <djm@mindrot.org>, "Mark D. Baushke" <mdb@juniper.net>
CC: "curdle@ietf.org" <curdle@ietf.org>
Date: Thu, 20 Jul 2017 02:51:29 +0000
Message-ID: <1500519070842.37117@cs.auckland.ac.nz>
References: <22892.35863.542104.942153@fireball.acr.fi> <82005.1500305248@eng-mail01.juniper.net>, <alpine.BSO.2.20.1707201053511.14080@haru.mindrot.org>
In-Reply-To: <alpine.BSO.2.20.1707201053511.14080@haru.mindrot.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/nuWxIne-kDzovtjck6s3VSYzE7U>
Subject: Re: [Curdle] draft-ietf-curdle-ssh-kex-sha2 and diffie-hellman-group1-sha1 (1024-bit DH)

Damien Miller <djm@mindrot.org> writes:

>Opinion: there's still enough old junk out there that optional support for
>diffie-hellman-group1-sha1 is probably necessary for a while longer. IMO this
>is probably worth an explicit note in the draft.

That's the catch-22 with something like this: on the one hand you want to make
it MUST NOT so you've got something to hit vendors over the head with when
they keep using RSA512 with MD5; on the other hand, if they've got existing
equipment they're just going to demand that you change your code to work with
it.

As an aside, it would be nice if OpenSSH had some single enable-legacy-mode
switch to re-enable all the MUST algorithms that are currently disabled;
having to send people to https://www.openssh.com/legacy.html so they can
figure out by trial and error which incantation they need to use each time
they can't interop with current versions of OpenSSH is a pain.  Or at least
change the error message to tell people what to do to make it work.

Peter.
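One way to turn the negotiation error into the per-host incantation the message above is asking for, as an added example that is neither OpenSSH code nor part of this thread: it parses the real "Unable to negotiate ... Their offer:" line that OpenSSH prints and emits a `Host` stanza for `~/.ssh/config` that re-enables only the strongest legacy algorithm the peer offered, scoped to that one host instead of globally. The sample error line and the legacy preference table are constructed assumptions, not OpenSSH defaults.

```python
import re

# OpenSSH's client failure line has this fixed shape (constructed sample below):
#   Unable to negotiate with HOST port N: no matching <what> found. Their offer: a,b
ERR_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>key exchange method|host key type|cipher|MAC) found\. "
    r"Their offer: (?P<offer>\S+)"
)

# ssh_config keyword that governs each kind of negotiation failure.
KEYWORD = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}

# Assumed allow-list of legacy algorithms we are willing to re-enable per host,
# strongest first, so the best thing the peer offers wins (group1 is the last resort).
PREFERENCE = {
    "KexAlgorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "HostKeyAlgorithms": ["ssh-rsa", "ssh-dss"],
    "Ciphers": ["aes128-cbc", "3des-cbc"],
    "MACs": ["hmac-sha1"],
}

# Constructed sample of what a modern client prints against an old device.
SAMPLE = ("Unable to negotiate with 192.0.2.10 port 22: no matching key exchange "
          "method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1")

def parse_failure(line):
    """Extract host, port, ssh_config keyword and the peer's offer; None if unparseable."""
    m = ERR_RE.search(line)
    if not m:
        return None
    return {"host": m["host"], "port": int(m["port"]),
            "keyword": KEYWORD[m["what"]], "offer": m["offer"].split(",")}

def legacy_stanza(line):
    """Per-host stanza enabling only the strongest allow-listed algorithm the peer offered."""
    f = parse_failure(line)
    if f is None:
        return None
    for alg in PREFERENCE[f["keyword"]]:
        if alg in f["offer"]:
            return f"Host {f['host']}\n    Port {f['port']}\n    {f['keyword']} +{alg}\n"
    return None  # peer offers nothing on the allow-list: do not weaken the client

if __name__ == "__main__":
    print(legacy_stanza(SAMPLE), end="")
```

Appending the printed stanza to `~/.ssh/config` reproduces the legacy.html recipe for that host only, and the `+` form keeps the default algorithm list intact.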